File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change 9090 push : ${{ github.event_name != 'pull_request' && github.event_name != 'merge_group' }}
9191 tags : ${{ steps.meta.outputs.tags }}
9292 labels : ${{ steps.meta.outputs.labels }}
93+
94+ verify :
95+ needs : [goreleaser, provenance]
96+ if : ${{ startsWith(github.ref, 'refs/tags/v') }}
97+ runs-on : ubuntu-latest
98+ permissions :
99+ contents : read
100+ env :
101+ CHECKSUMS : ${{ needs.goreleaser.outputs.hashes }}
102+ PROVENANCE : " ${{ needs.provenance.outputs.provenance-name }}"
103+ steps :
104+ - uses : slsa-framework/slsa-verifier/actions/installer@v2.5.1
105+ - name : download assets
106+ env :
107+ GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
108+ run : |
109+ set -euo pipefail
110+ gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz"
111+ gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.zip"
112+ gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$PROVENANCE"
113+ name : verify assets
114+ run : |
115+ set -euo pipefail
116+ checksums=$(echo "$CHECKSUMS" | base64 -d)
117+ while read -r line; do
118+ fn=$(echo $line | cut -d ' ' -f2)
119+ echo "Verifying $fn"
120+ slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \
121+ --source-uri "github.com/$GITHUB_REPOSITORY" \
122+ --source-tag "$GITHUB_REF_NAME" \
123+ "$fn"
124+ done <<<"$checksums"
You can’t perform that action at this time.
0 commit comments